Get Instahack License - A Massive instagram Bruteforce tool. Contact Us Buy Now!
Home

Rootkit

 As we are familiar with computer viruses, how their code internally works, we will be going into little in-depth about what botnets and rootkits are and how they work; what are their types and where hackers use these terms. First of all, we will be dealing with Rootkits.



Table of Contents
1. What is Rootkit?
2. Root Modes of Windows Operating System
3. Types of Rootkit
4. Techniques Used by Rootkits
5. Countermeasures Against Rootkits

What is Rootkit?

Rootkits are a collection of tools or sets of applications that allow the administrator-level access to a computer or a network. These rootkits are fed into the host computer by a cracker (malicious hacker) either by exploiting a known vulnerability of the system or by cracking the password. These rootkits hide their presence using some of the low layers of the operating system, which makes them almost undetectable by standard anti-malware software. So the name implies where 'rootkit' is a compound of two words 'root' and 'kit' where root describes the most privileged user on the computer, and kit describes the set of tools to implement. The rootkit has a synonym with malware, which describes malware with root capabilities.

Root Modes of Windows Operating System

The kernel is the primary component of an operating system. It serves as an intermediate connector between the application and the hardware. The Windows kernel has been designed with flexibility in mind. The windows OS kernel code runs in the highest privileged mode in the system, which is the Kernel-mode. As because all software and programs don't require system resources and hardware manipulation, a lower privileged mode also exists knows as User-mode where this application runs.

Types of Rootkit

As in the Windows operating system, there are two modes a code can execute in: the unrestricted kernel mode and the private, restricted user mode. Rootkits can exist in both of these modes. Rootkits can be either legitimate or malicious; i.e., they may get installed as a part of the legitimate application or through some Trojans via some suspicious email attachments. There are two types of windows rootkits which are aptly called:

  1. User-mode Rootkits: are those rootkits that function in user-mode or the low privileged level of the processor ring. The effect of these types of rootkits limits on the user level only via an affected application. If the rootkit wants to infect other applications, they'd need to do the same work in every application's memory space. They operate mostly be hijacking or hooking function calls.
  2. Kernel-mode Rootkits: operates on kernel-mode or highest privileged level, i.e., in the kernel space. It makes rootkits powerful as they reside in the lowest level of the operating system, which means its controlling capability is strong over the hardware and the operating system. Most kernel-level rootkits take advantage of hooking execution, which then transmits to kernel mode and utilizes a loadable kernel module (LKM) to enhance kernel functionalities with rootkit code. It has a subtype also - the 'bootkits,' which infects the startup programs and codes like MBR (Master Boot Record), VBR (Volume Boot Record), and effects like boot sector viruses and creates malfunction at the time of booting.

Techniques Used by Rootkits

Rootkits use three different techniques that were coded in them. These are:

  1. Hooking: is the most common function of al rootkits, which involves hooking the application's execution flow. They re-direct the normal flow of execution and point to its code. It is internally done when the API calls and the system function calls are intercepted.
  2. DLL Injection: is the mechanism of loading a dynamic link library (DLL) into a running process address space. In the case of malware and rootkits, the DLL injection attack is a malicious one with a DLL file which exports malicious functions and patches or modifies the registry key. Since these malicious DLL can be loaded easily, so it can be injected into processes of USER32.DLL.
  3. Kernel Object Manipulation: is considered to be the most advanced technology used by malware writers. This type of attack contains kernel structure modification, bypassing the kernel object manager to avoid access checks. Most of the data structure of the kernel gets modified as the kernel is itself under the siege of this attack. Although this technique is advanced-most, it's complicated too. Manipulating the kernel object needs the understanding of that object in detail also.

Countermeasures Against Rootkits

Though some vendors exist in the market, which sells software that can detect the presence of rootkit such as Microsoft, Sysinternals, Symantec, F-secure, etc. If a rootkit is detected, the only sure way to get rid of this is to completely erase the computer's hard drive or format the operating system to reinstall it.


    Previous Chapter :  Computer Virus ❯                                     Next Chapter : Botnet 


Cookie Consent
We serve cookies on this site to analyze traffic, remember your preferences, and optimize your experience.
More Details
Oops!
It seems there is something wrong with your internet connection. Please connect to the internet and start browsing again.
AdBlock Detected!
We have detected that you are using adblocking plugin in your browser.
The revenue we earn by the advertisements is used to manage this website, we request you to whitelist our website in your adblocking plugin.
Site is Blocked
Sorry! This site is not available in your country.